Hey guys and gals of the security community.  James Fitts here, I’m the new guy on the block over at SecurityAegis.com.  I’ll be blogging and helping out with some of the projects we have going on.  But enough about me, lets get down to the meat and potatoes.

We launched the Open Pentest Bookmarks Collection a little over two days ago, and let me tell you, the response has been amazing!  We’ve had over 500 downloads, 1000′s of unique visitors, and a ton of link submissions.  We’ve been working hard on going through the submissions and decoding what should be included and I’m happy to say that we’ve released version 1.2.  This version contains a lot of the user submissions from over the past few days, with some minor additions of new categories or subcategories.

We’re still looking for more contributions.  If you feel you have some great links, send them over!

We want to take one second to thank some awesome people tweeted us out:

HD Moore
Andre Gironda
Rapid 7
The Metasploit Project
Rob Fuller aka Mubix
Dave Kennedy
Chris John Riley
D3v1l of SecurityShell
Black of Pentestit
Sam Bowne
Thealuc
and Daniel Miessler of HP

If you don’t follow these people, you should be They are all on Jason’s twitter ninjas list

You can grab the download at the following URL:

http://code.google.com/p/pentest-bookmarks/downloads/list

Words From Jason:

Some questions we received from users:

Why not use a social bookmarking site?

Well, we don’t really like them. They offer tagging but as long as we keep the list categorized well we will stick with this format… for now. Again this is the OPEN Pentest Bookmarks Collection so feel free to port it if you so desire.

Why didn’t my bookmark make the cut?

We hate to be choosy with an open source project but we wanted to keep the bookmarks very fresh and relevant. Who made us judge and jury? um… googlecode apparently. Hell, we even plan on pruning some of the initial ones we picked out (don’t worry all revisions should be documented). If your link didn’t make it, we apologize, we have only so many categories and we don’t want the collection to headsplode too fast.

Can I help with parsing/project work?

Right now we have 4 owners and 1 contributor who are contributing part time and it’s enough. We will reach out if we need some more people. Thanks for all offers =)

The Open Pentest Bookmarks Collection v1.2 belongs to Security Aegis

The Open Penetration Testing Bookmarks Collection

…is just that, a collection of handy bookmarks I initially collected that aid me in my day to day work or I find in the course of research. They are not all inclusive and some sections need to be parsed but they are all good reference materials. I find having this Hackery folder in Firefox an easy way to reference syntax, tricks, methods, and generally facilitate and organize research. Hopefully the initial set will grow and expand.

Opening it up to everyone will facilitate a knowledge transfer.

How it’s working atm:

First off, we need help. OCD organizational people and people who can contribute or sort out the best links. Comment on the wiki if you wanna pitch in. Free beer at con’s

The whole bookmarks html file is ready for import to firefox off of the downloads section. As people submit new links we will add them and restructure the categories as they expand. Otherwise the wiki page should have all the links piecemeal should you not decide to download the whole folder (which is lame).

How to submit your bookmarks:

Since a bookmarks file is not really what you usually use a code repository for we opted just to use the download and wiki sections of google code.

If you have suggestions or a few links to submit, leave a comment on the wiki page.

If you think you have a large set of bookmarks you think can contribute email us and we’ll add you to the contributors section. The general categories are Listed on the main page.

http://code.google.com/p/pentest-bookmarks/

The Open Pentest Bookmarks Collection belongs to Security Aegis

I went and hunted this vid down and re-watched it to affirm that in the general theme of mobile pentesting I wasn’t missing anything blatant. I remembered this talk for a reason, it was very good.

Apologies for the horrible resolution, the stream was a whole track of talks and already horrible quality, I just wanted to throw this one out on the blog.

It Melts in Your Hand: Mobile Hackery from Securityaegis

Some tools mentioned:

undx
Smali / baksmali
IDA pro w/ ARM support
Black Berry Swiss Army Knife
coddec
JAD
Wireshark
Burp proxy
Mallory

Thanks to the guys at Intrepidus and Zach Lanier for the talk. A round of beers next BSides. More tech talk on Android decompiling here.

Update:

Seems Intrepidus has some more resources out there that are interesting:

TEAM JOCH vs. Android: The Ultimate Showdown
Jon Oberheide and Zach Lanier

Video

Today there is a webinar focusing on getting into the stream of mobile apps.

Mobile Hackery belongs to Security Aegis

Whitepaper from Blackhat DC here.

Neurosurgery with Meterpreter belongs to Security Aegis

Using scripts like this allows for easier tool interoperability, faster finding reporting, etc (not to mention they are command line). They also save time by being able to parse out generic or common findings. This time saved not infrequently lets you pop a few boxes that you need to create custom/modified exploits for or research more difficult findings.

I do this a lot, but from a different approach. Using plugin ID's and outputting to standalone txt files for importing into other tools, and in BASH

When you do a lot of external scoped projects with vulnerability scanners you tend to notice a few common low level vulnerabilities. These are things like:
 

• Weak SSL ciphers
• Self signed Certs
• SSLv2
• Expired Certs
• IIS /image and content-type internal IP leaks
• Trace/Track Enabled
• Weak SSH
• Non Encrypted Remote administration protocols
• SMB shares
• Webserver expect XSS
• NTP Servers
• etc…

My extparse.sh script parses all this and also all webservers, all bruteforcable remote administration services, and all mail services for later inspection and bruteforcing.

These Nessus plugins/findings are very common and highly reliable, so parsing them out early hardly requires any manual poking and prodding. In a goal oriented pentest I only use the bruteforcing and identification output of my script but in a assessment type scope they are included as findings.

It then becomes really easy to automatically feed these hosts into command line tools like nikto, ncrack/medusa, wfuzz, etc. All with the mindset of saving time for things I'm more inclined to need to research or modify. My simple script is in bash and serves my purposes well.

That parser is for external facing hosts.

I also have written a ghetto Nessus parser based of a policy file for finding Metasploit exploits. msfparse.sh

You can view the source to see what it checks for, but it's nice to run on your NBE's to  identify some easy shells. It's a tinsy bit old and needs to be checked for newer plugins, i'll try to get on that soon. Still serves me well though.

And lastly I made a diff tool to take nmap output and diff it against Nessus output, helpful to see when hosts from a initial nmap scan have now not responded to your Nessus vuln scan (due to blacklisting).  nnparse.sh

So, I hope these parsers help you with your pentests or assessments, feel free to yell at me for suggestions, plugin additions, and flaming =)

Happy hacking… or uh… Nessus'ing

-Jason

Nessus Parsing… 101? belongs to Security Aegis

An introduction to the Nmap Scripting Engine by David Shaw:

Intro to Nmap Scripting from Securityaegis on Vimeo.

Slides: http://www.securityaegis.com/nse.pdf

PCAP analysis and File Carving by Nate Drier:

Intro to PCAP analysis from Securityaegis on Vimeo.

Slides: http://www.securityaegis.com/PCAP.pdf

Nmap Scripting and Pcap Analysis belongs to Security Aegis

When making the slides and presenting them in our hotel room we realized going through everything we wanted to was not feasible in 20min. So, keep an eye on twitter to see updates and blogs on follow ups. Please be advised, drinking usually impairs our follow up times.

For now, here are the talk slides:

http://www.securityaegis.com/burp_preso.pdf

Feel free to email me with any questions =) jason.haddix {a-t} hp {d0t} com

Update:

Video available here:

http://www.securitytube.net/video/1510

Pentesting with Burp Suite: Taking the Web Back From Automated Scanners belongs to Security Aegis

This year I had the opportunity to take a few stellar instructor-led training courses, one of which was Joe McCray's "Advanced Penetration Testing: Pentesting High Security Environments" course from his training entity LearnSecurityOnline.

Since I'm already doing pen testing full time I feel like it's a tremendous opportunity to see what techniques other testers use. I'm definitely not arrogant enough to think I know everything, but I do know Joe is tremendously skilled and has many more years "in the game" than I have. What an opportunity for me to learn from the best.

Joe's class is presented as higher level pen test course. There are no real introductions into pen testing theory, tools, or syntax. APT is largely comprised of labs and demos. The course also has a very unique structure. It comes from the mindset of attacking from the outside (web) and pivoting through the DMZ to the LAN. There is a lot of emphasis on stealth, persistence, and evasion. Even if your testing isn't scoped this way it is a powerful ability to be able to show your clients how one seemingly innocuous web flaw can lead to network disaster. Regardless, I found that this class was beneficial even to those that separated web and network scopes.

This review covers the course offered in conjunction with Black Hat Training at the venerable annual event in 2010 and will take a detailed look at the 2-day agenda, coverage of the 5-Day version of the course, thoughts on presentation and technical content, conclusions made as well as modest recommendations.

Day 1: Identifying Defenses, Stealth, and Attacking from the Web

The first part of the day consisted of reviewing (quickly) the more intricate details of information gathering (passive recon, OSINT, etc.). Truth be told, this was the only part of the class that didn't have live examples, but it was only due to the Black Hat network not cooperating. Most of the class was hands-on, using pre-built VMs to attack servers Joe's interns managed up front. The OSINT material was current and up-to-date with what I’ve only seen a few pen testers cover.

Moving on, we went over techniques to identify virtual hosting, load balancing, WAFs, IPSs, etc. Joe carefully explained the types of devices and filtering he has come up against in real pen tests. The great benefit here is Joe's research into these devices' signatures and potential bypasses. Joe's next step involved setting up all of your standard web pen test tools to use tor, proxy lists, and other trickery to mask your attacks. This was especially interesting as Joe demonstrated some really sly ways to keep from being blacklisted.

This segued right into his module called "SQL Injection to Command Shell." Joe takes you through the ways to identify SQL injection (as well as LFIs and RFIs), and then through exploiting an ASP app first manually and then by using automated tools. Joe also provides some his favorite tools/scripts that were custom patched for identifying and attacking these avenues. Besides some issues with VM installations, day one was refreshing, up-to-date, and an advanced glimpse of practical web hacking and stealth for enterprise pen testers.

** Side note**

Joe's APT class is normally a five-day course. This incarnation of it only saw 1/5th of the total modules he trains at a full-length class. Fortunately for the students of the Black Hat training, Joe went over certain modules live and then provided the lab guides with a few additional modules that were not possible to demo at Black Hat. Even with the additional modules in the book, there was a good 75% more content to cover. In an attempt to fairly review all the content, Joe sat down with me personally to go over each additional section. I will try to cover this additional information at the end of the two-day description.

Day 2: Metasploit, Pivoting, Persistence, and Evasion

With the VM issues mostly resolved, the second day moved at a faster pace. To me, it provided a lot of insight on attacking more secure environments. Day 2 was filled with tons of Metasploit including tips and tricks on using incognito, getpriv, pass the hash, and more. What I liked about this day is that Joe pretty much tailored it around bypassing anti-virus solutions and evading IDS/IPS. It also was useful that for every function in Metasploit, there seemed to be a stand-alone script that he provided for performing similar functions. This way, if you didn’t have a Meterpreter shell with the built in 'hotness,' you at least had some functionally equivalent code to use with your bind/reverse shells.

Since we were running low on time, Joe slightly touched on post exploitation and persistence. He then moved straight into attacking and bypassing AV + GPOs labs which were great. Joe goes over these sections both from an “i just popped a box” standpoint and an “i just sat down at this kiosk/locked down machine” avenue. This section was particularly impressive due to one of Joe's students actually modifying some tricks of Joe's and finding a previously undiscovered “old-school” privilege escalation attack (alternate data stream) in the High Security GPO VM we were attacking.  The last part of the day covered some techniques to bypass port security and NAC solutions, which were very informative. All in all, Day 2 was my favorite.

Extras and 5-Day Content

With some students having had VM troubles Joe really wanted them to head home satisfied with the course. Towards the end of Day 1, Joe took a class survey to assess what the majority of the class was interested in (IE, attack vectors, methodologies, tools, etc.). Later on Day 2 he actually provided us his personal Web Application attack methodology, Nessus policy files for specific Metasploit exploits, his AV Disable tricks module, his exploits by OS cheat sheet, his privilege escalation cheat sheet, and more. These are all tremendously useful resources.

As mentioned, I had the opportunity to check out the full 5-day content. Obviously with the instructors and labs not present, you'd expect to be underwhelmed, but that was not the case. Represented within the 5-day material there was a module for almost every advanced attack type or tool I have seen blogged or presented in the last year. This includes advanced attacks for XSS using BeEF and XSS shell, bypassing flash logins, attacks and useful payloads in SET, using metaphish for more fun and profit, web payloads, MiTM with ettercap + SSLstrip, Custom MSF trojans, karmetasploit, tons of post exploitation tricks, and just really too much to be listed here. All in all 36 modules, a handful of custom patched tools, and several cheat sheets will clearly make for a jam-packed 5-day course.

The Skinny

Presentation and Delivery: 9/10
Technical Content: 9/10
Value: 9/10

Presentation and Delivery Notes

Joe is a unique instructor. He teaches with a certain enthusiasm that is infectious. As mentioned he also tailors the class dynamically to what his students want to learn. In addition he had some great teaching aides, Jason Vaan and James Fitts, who kept the network running and assisted with all the labs. All the teaching staff was available for questions regarding anything related to pen testing, which included staying after the allotted Black Hat hours and lunches to have a drink and swap tricks of the trade. On several occasions students would come up with good ideas that went along with the courseware to which Joe would immediately take notes and offer to help code up the attacks or ideas they had. When hard times arose with the VMs, Joe's team worked into the late hours of the morning to re-burn the images and make the class flow smoothly the next day. All of this, in addition to the fact that the class is lab driven, would have rated a 10/10, but the VM situation, which I have been assured after this course will be remedied, deducted a point.

Technical Content Notes

A lot of people say there isn’t any magic left in pen testing; that it's all been documented. But this class gave me more than enough hacks to take home and drop some shells. It focused on exactly what it advertised and with great quality. Every module covered was both step-by-step and also contained the technical details of the attacks. The tools and techniques were very current, and, since Joe knows almost everyone in the pen test social circle, you could see that he worked hard on incorporating the newer ideas and concepts into the methodologies. As a course reviewer I’ve been lucky to see some really good classes (as well as some horrible ones), and APT is the closest I've come to yet to wanting to award a 10/10 score on content. Alas, I'm one of those guys who is always under the impression that there is more fu out there and therefore will be hard pressed to actually give up a 10/10.

Areas for Improvement

Two days was not enough for the class. Although this was hardly the APT team’s fault, after seeing the whole of the content, you could tell that there was so much more that the course offers in its five-day version. The VM situation was a real difficulty the first day, and frustrated some students. After talking with Joe post course, he has assured me that they have rebuilt the VM images, and started to move to USB as a delivery media as opposed to CD/DVDs.  On the true content side of things, I have no criticisms. The course was technically solid. I did hear a student complain that the course did not have an intro to developing exploits, but that's not what the course is really about. It focused on practical pen testing against current, high security environments. If you want this type of course, hold your horses a bit until Joe and his team release some details on their actual reverse engineering and exploit dev class. Another point, not necessarily a criticism, is that I’d love to see this course offered online. Although Joe and the APT crew fly the hacker con circuit pretty extensively offering this course to the masses, an online version would really challenge some of the lackluster training programs out there.

I'll keep the closing quote simple:

“If you have any remote chance to take this class… make it happen. You won’t regret it.”

** Another Side Note **

After finishing this review I have been informed that Joe is giving an APT class on Dec 13 – 17, 2010 in Maryland. It will be the full 5-day course and even have updates to the content listed here.  Don’t miss it.

Review: Advanced Penetration Testing (APT) belongs to Security Aegis

First things first, most of these addons will have compatibility issues. To update a Firefox addon:

• download xpi (right click "save target as" from the download button on addons.mozilla.com) 
• Open with with winrar
• Open install.rdf with a text editor
• Change the <em:maxVersion>3.xxx.xxx</em:maxVersion> line to your current Firefox build
• save
• open the xpi file with Firefox

Now, here is what I use regularly:

MultiProxySwitch or FoxyProxy - for fast switching to Burp or Tor

PassiveRecon - for OSINT style gathering

ShowIP – show server IP and additional possible IPs if load balanced, also can right click to get netcraft info

Live HTTP Headers – for checking for load balancing et al

Wappalyzer and Backend Software Information – To identify platforms, frameworks, and common apps

Hackbar – for fast submission of post requests without firing up Burp, also has great encoding support. I love Hackbar.

Add n Edit Cookies – invaluable for cookie inspection and testing

Firebug or WiderBug (thanks Andre!) – because its awesome

Lazarus – So i never accidentally forget an injection string i already tried

FxIF - Usually used for metadata analysis in CTF's

Fireforce - I usually use Burp Intruder to bruteforce forms based auth, but fireforce is still neat

Although i don't really use them much greasemonkey with Whiteacid's XSS assistant (careful with this one),  XSSme, SQLinjectME, and SQL Injection! are all good addons for testing injection. They also have good injection regex's to steal for use in other tools.

For general browsery  I use Readitlater and xmarks to keep up a good reading list across all my boxes

For Browser Scripting I use iMacros for Firefox

Caveats:

There was a presentation by Michael Schearer "theprez98" called "Pen Testing the Web with Firefox" , check that out. Also there is a huge mozilla collection called FireCAT by Securitydatabase.com. I like some of the tools but i feel installing the whole collection bloats my browser too much.

Anyways, that's all for now. Happy hacking!

Hacking with your Browser belongs to Security Aegis

Every year we head to the desert to learn the newest attack/defenses in the world, to share groundbreaking ideas… but not least of all, to have some fun!

Who?	When? (July)	Time	Where?	Link/RSVP	Why?
ModSecurity Happy Hour	Wednesday 28th	4-6pm	munchbar @ Caesar's Palace	open to anyone	modsecurity is awesome
MAD & Nitro Security Party	Wednesday 28th	8PM-10PM	TBA	Invite only	Go to the Nitro Security booth for invite
Black Hat Crawl by Stonesoft	Wednesday 28th	6PM-9PM	Trevi Room, Caesar’s Palace	http://www2.stonegate.com/l/1912/2010-07-13/2895X	pinata and ipad contests
Tenable Party	Wednesday 28th	8:00 p.m. – 10:00 p.m	Margaritaville	http://www.tenable.com/bhparty2010/	Nessus is win, most of the time. Beer and Margaritaville's world famous margaritas will be served. The first 100 people through the doors will receive a Tenable Hawaiian Shirt and a Nessus Cigar.
IOActive Cocktail Party	Wednesday 28th	8:00 p.m. – 10:00 p.m	Spago	Invite only	pick up invites at booth #63
Mcafee Party	Wednesday 28th	8:00 p.m. – 11:00 p.m	Vanity @ Hard Rock Hotel	Invite only	stop by McAfee booth #18
Rapid 7 Party	Wednesday 28th	9:00 p.m. – 02:00 a.m	Palms Fantasy tower	http://www.rapid7.com/forms/black-hat-rsvp.jsp	Open Bar, GoGo Dancers, HD Moore.
Qualys Party	Wednesday 28th	8:00 p.m. – 02:00 a.m	Jet Mirage Club	http://www.qualys.com/company/events/tradeshows/blackhat10/	Dance the night away to Tainted Love (a top 80's cover band) and DJ DIRTYHERTZ at one of the hottest Las Vegas nightclubs JET (JET is really nice)
Madiant Schmooze	Wednesday 28th	7:00 p.m. – 09:00 p.m	Shadow Bar Inside Caesar's Palace	http://www.mandiant.com/news_events/forms/shadow_bar	Random Google Find – dunno – open bar sounds like.
SourceFire VRT Adobe Haters Ball	Wednesday 28th	8:00 pm to 11:00 pm	Casa Fuente, Caesars Palace	Invite only	beg @VRT_Sourcefire for an inv? I dunno -_-
NetWitness	Wednesday July 28	9 pm – 12 am	PURE @ ceasars	http://netwitness.com/resources/register/blackhat2010.aspx	???
FishNet	Wednesday July 28	?	Rhumbar	http://is.gd/dy4RY	???
Cenzic/Dasient	Wednesday July 28	9 pm – 12 am	Caesar's Rainman Suite	http://blog.cenzic.com/public/item/256749	stop by the Cenzic booth (#38)
TippingPoint ZeroDayInitiative 5 Year Anniv Party	Wednesday July 28	8 pm – 12 am	Hard Rock Hotel SkyBar	Invite only	i hear ZDI throws a good party
BSides	Wednesday & Thur 28/29 ·	???	2810 East Quail Ave., Las Vegas, NV, 89120	http://www.securitybsides.com/BSidesLasVegas	While not an "official" party, Bsides is a party by itself. Ask around and i'm sure there will be something going down… I mean c'mon… it's Chris Nickerson running it!
WhiteHat & Accuvant	Thursday July 29	?	PURE @ ceasars	Invite only	"swing by the booth and say hi and if we have any left – grab an invite for our party at Pure for Thursday night"
Security Twits	Thursday July 29	8 pm – ?	Caesar's (suite TBD)	???	???
Defcon Fundraiser	Thursday July 29	???	Riviera Penthouse	???	Cost $40
KartCON	Thursday July 29	7:30pm – 11pm	FastLap – 4288 Polaris Avenue Las Vegas, NV 89103-8100	http://kartcon2010-owasp.eventbrite.com/	50mph Gokart tourney, with bar… win.
Defcon Toxic BBQ	Thursday July 29	5:30pm – 9pm	Sunset Park 7.6 miles from Riviera	http://www.toxicbbq.com/	BYOBBQ and some utensils. People will cook for you if you bring meat!
EFF Vegas 2.0 Party	Thursday July 29	???	Top of Riviera	Open to all, $40 at the door (donation)	All monies go to the EFF (you get a 1 yr. membership for your donation). DualCore, Minibosses, raffle, open bar and much, much more
Microsoft Party	Thursday July 29	9 pm – 11 pm	Vanity	Invite Only	Speakers and top notch security researchers.
Core Security Party	Thursday July 29	???	Sushi Roh	Invite Only	I've been to a CORE shindig before, they can sure throw a party, or atleast spend a grip of cash
ISEC Partners Party	Thursday July 29	10:00pm-TBD	V-Bar @ the Venetian	Invite Only	ISEC peeps are awesome.
Spiderlabs Party	Friday July 30	10:00 p.m. – TBDam	Riviera SkyBoxes	Invite Only (ask a lab spider for an inv)	DJ Keith Swiat, Open Bar, Spiders are 31337.
HackerPimps Party	Friday July 30	???	Riviera SkyBoxes	Invite (email pimpsparty at gmail dot com) @hackerpimps	Caption says it all…
Attack Research Party	Friday July 30	7pm – 2 am	Top of the Riv	Invite only.	Dr Raid, Dj Sailor Gloom , Thee Swank Bastards , Dj Dark Mark, Regenerator, Dj Style.
Ninja Party	Saturday July 31	9 pm – ?	Secret Offsite Loc	Invite Only – https://forum.defcon.org/showthread.php?t=11511&highlight=ninja	Last year i went as part of "the event that didn't happen" the EFF Sec Pillow fight. This year i might be SOL on an invite. The Ninja Party is the most 31337 party there is. I heard finding a ninja and asking them works well… but they are invisible! ='(
IOActive FreakShow	Saturday July 31	9 pm – 1 am	Top of the Riviera	http://www.facebook.com/event.php?eid=135300963167159 & http://www.ioactive.com/news_events_freakshow.html	Tower of Bendy Girls, DJ Keith and Crew, the Return of the Bungee Run, and Gladiator Joust.

This is what I know of atm, im sure im not privy to all the madness and will update accordingly. Also i heard @gattaca is gonna blog on parties too soon. =)

I'll be in Vegas from 23rd to the 1st. See ya there. Twitter DM's go to my mobile or you can email admin -a-t- securityaegis.com to meetup, shoot the sh*t, and have a good time!

*More party updates as they come… Thanks for reading!

* 7/18 Thanks for all the info from everyone on here and through twitter. Updated with toxic bbq, Qualys, Attack research, Sourcefire VRT.

*7/18 Massive update

*7/19 More parties added

*7/19 looking for info on mcafee party

*7/20 added 3 more parties by request of vendors…

*7/22 Added Mcafee party info

Blackhat and Defcon Parties belongs to Security Aegis